Recent OTX pulses highlight a surge in diverse cyber threats targeting enterprise credentials and infrastructure. A major disruption operation (Endgame) has impacted the Amadey and Stealc botnets, yet the ecosystem remains active with new variants like Lumma Stealer. Simultaneously, the threat actor Woodgnat is deploying the novel Backdoor.Mistic and ModeloRAT to facilitate ransomware operations via initial access brokering. Separately, the North Korean Kimsuky group continues to evolve KimJongRAT using legitimate infrastructure like GitHub, while a new actor JINX-0164 targets crypto organizations via LinkedIn phishing with custom macOS malware (AUDIOFIX, MINIRAT). Collectively, these campaigns emphasize the relentless pursuit of valid credentials and persistence mechanisms.
Threat Actor / Malware Profile
StealC & Amadey (Infostealer MaaS)
- Distribution: Delivered via cybercrime services, often bundled with other loaders or phishing attachments.
- Behavior: StealC harvests credentials, cookies, and crypto-wallet data from browsers and apps. Amadey functions as a botnet and loader, downloading secondary payloads.
- C2: Communicates with hard-coded domain names (e.g., microsoft-telemetry.at) and IP-based C2 servers.
- Persistence: Uses scheduled tasks and registry run keys.
Woodgnat / Mistic Backdoor (Ransomware Access Broker)
- Distribution: Social engineering and sideloading techniques.
- Behavior: Deploys Backdoor.Mistic and ModeloRAT to establish persistence for ransomware gangs (Qilin, Black Basta).
- C2: Uses domains like authorized-logins.net for command and control.
- Persistence: DLL sideloading to bypass security controls.
Kimsuky / KimJongRAT (APT)
- Distribution: Phishing emails with shortened URLs pointing to GitHub Releases hosting malicious ZIPs.
- Behavior: Information stealing and remote access. Uses MeshAgent for lateral movement.
- C2: Leverages cloud infrastructure and domains like googleoba.servequake.com.
JINX-0164 (Crypto Targeting)
- Distribution: LinkedIn social engineering posing as recruiters; supply chain attacks via npm packages.
- Behavior: Python-based AUDIOFIX infostealer and Go-based MINIRAT targeting macOS developers.
- C2: Domains mimicking legitimate services (e.g., teamicrosoft.com).
IOC Analysis
The provided indicators span multiple vectors requiring immediate triage:
- Domains: High prevalence of typosquatting (e.g., microsoft-telemetry.at, teamicrosoft.com). These should be blocked at the DNS level.
- IPs: C2 servers (e.g., 176.124.199.207, 104.200.67.46) often hosted on VPS providers. Block these on firewalls.
- File Hashes: Multiple SHA256/MD5 hashes corresponding to loaders, droppers, and RAT payloads.
- Operationalization: IOCs should be fed into SIEM (for correlation) and EDR (for binary blocking). Focus specifically on the hash list for StealC and Mistic to halt execution.
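The operationalization step above depends on the indicators being normalized before they are compared with telemetry: hostnames arrive in mixed case and with trailing dots, C2 operators rotate subdomains under one registered domain, and hashes come in several algorithms and cases. The following is an added example, not code from the report or from Security Arsenal, that loads a handful of the indicators listed on this page into lookup sets and matches them against constructed sample DNS, firewall and EDR records (the sample events and host names are invented; `triage`, `domain_matches`, `ip_matches` and `hash_matches` are hypothetical helper names).

```python
"""Added example: normalise the report's domain, IP and hash IOCs and match them
against constructed sample telemetry (DNS query log, firewall log, EDR hash record)."""
import ipaddress
import re

# Indicator values taken from the report above (subset)
IOC_DOMAINS = {"microsoft-telemetry.at", "teamicrosoft.com",
               "authorized-logins.net", "googleoba.servequake.com"}
IOC_IPS = {"176.124.199.207", "104.200.67.46"}
IOC_HASHES = {
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea",  # StealC/Amadey (SHA-256)
    "ff8d2afd9d7f0a828592fee34ca55d1a3542f7ed",                          # Operation Endgame (SHA-1)
}


def normalise_domain(name):
    """Lower-case and strip whitespace and the trailing root dot, so 'Update.MICROSOFT-telemetry.at.' compares cleanly."""
    return name.strip().lower().rstrip(".")


def domain_matches(fqdn, ioc_domains):
    """Return the matching IOC domain if fqdn equals it or is a subdomain of it, else None."""
    labels = normalise_domain(fqdn).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def ip_matches(ip, ioc_ips):
    """Return the canonical IP string if it is an IOC, None for non-IOC or unparsable input."""
    try:
        addr = str(ipaddress.ip_address(ip.strip()))
    except ValueError:
        return None
    return addr if addr in ioc_ips else None


def hash_matches(digest, ioc_hashes):
    """Infer the algorithm from the hex length (32/40/64 = MD5/SHA-1/SHA-256) and return (algo, hash) on a hit."""
    digest = digest.strip().lower()
    algo = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", digest):
        return None
    return (algo, digest) if digest in ioc_hashes else None


# Constructed sample telemetry, not real logs
SAMPLE_EVENTS = [
    {"type": "dns", "host": "WS-01", "query": "Update.MICROSOFT-telemetry.at."},
    {"type": "dns", "host": "WS-02", "query": "telemetry.microsoft.com"},      # benign look-alike, must not match
    {"type": "fw",  "host": "WS-03", "dst": "104.200.67.46", "dport": 443},
    {"type": "fw",  "host": "WS-03", "dst": "10.0.0.5", "dport": 445},
    {"type": "edr", "host": "WS-04", "sha256": "8CEF760D11D24FC2E9BBD9F770DCA5105854F7ECE3B0E6948D7C8B7FDD1765EA"},
    {"type": "edr", "host": "WS-05", "sha1": "ff8d2afd9d7f0a828592fee34ca55d1a3542f7ed"},
]


def triage(events):
    """Return (host, indicator_type, indicator) tuples for every event that hits an IOC."""
    hits = []
    for ev in events:
        if ev["type"] == "dns":
            m = domain_matches(ev["query"], IOC_DOMAINS)
            if m:
                hits.append((ev["host"], "domain", m))
        elif ev["type"] == "fw":
            m = ip_matches(ev["dst"], IOC_IPS)
            if m:
                hits.append((ev["host"], "ip", m))
        elif ev["type"] == "edr":
            for key in ("md5", "sha1", "sha256"):
                if key in ev:
                    m = hash_matches(ev[key], IOC_HASHES)
                    if m:
                        hits.append((ev["host"], m[0], m[1]))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("[!] IOC hit on %s (%s): %s" % hit)
```

The output tuples are what you would forward to the SIEM as correlation events; the subdomain walk in `domain_matches` is what makes the rotated-hostname case fire, and the length-based algorithm inference in `hash_matches` is what keeps a SHA-1 indicator from being silently compared against SHA-256 values.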
Detection Engineering
Sigma Rules
```yaml
title: Potential StealC or Amadey Infostealer C2 Communication
id: 82e1c3d5-6a2b-4f7c-9e1d-3f5a7b8c9d0e
description: Detects network connections to known StealC or Amadey C2 domains and IP addresses identified in OTX pulses.
status: experimental
date: 2026/06/29
author: Security Arsenal
references:
  - https://otx.alienvault.com/
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
detection:
  # IP and domain lists are separate selections: fields inside one selection are AND-ed,
  # so keeping both in a single selection would only fire when both the IP and the hostname match.
  selection_ip:
    DestinationIp:
      - '176.124.199.207'
      - '176.111.174.140'
      - '62.60.226.159'
      - '94.154.35.25'
      - '64.188.91.237'
      - '196.251.107.130'
      - '104.200.67.46'
  selection_domain:
    DestinationHostname:
      - 'microsoft-telemetry.at'
      - 'svclsc.com'
      - 'goodpanelforgoodjob.com'
      - 'googleoba.servequake.com'
  condition: 1 of selection_*
falsepositives:
  - Unknown
level: high
```
```yaml
title: Suspicious Process Creation Related to Sideloading or Mistic RAT
id: 91f2d4e6-7b3c-5a8d-0f2e-4g6b9c0d1e2f  # as published; not a valid hexadecimal UUID, regenerate before deploying
description: Detects potential sideloading behavior associated with Woodgnat's Mistic backdoor or generic RAT execution patterns from suspicious paths.
status: experimental
date: 2026/06/29
author: Security Arsenal
references:
  - https://otx.alienvault.com/
tags:
  - attack.defense_evasion
  - attack.t1574.002
logsource:
  category: process_creation
detection:
  selection_img:
    Image|endswith:
      - '\rundll32.exe'
      - '\svchost.exe'
      - '\regsvr32.exe'
  selection_cli:
    CommandLine|contains:
      - '.dll'
      - 'DllRegisterServer'
  selection_suspicious_path:
    CommandLine|contains:
      - '\AppData\Local\Temp\'
      - '\ProgramData\'
  # All three selections must match: a system binary, a DLL on the command line, and a user-writable path
  condition: all of selection_*
falsepositives:
  - Legitimate software installers
level: medium
```
```yaml
title: Kimsuky KimJongRAT GitHub Delivery Vector
id: 03g4h5i6-8j9k-0l1m-2n3o-4p5q6r7s8t9u  # as published; not a valid UUID, regenerate before deploying
description: Detects download of potentially malicious archives from GitHub or usage of git/shortened URLs indicative of Kimsuky campaigns.
status: experimental
date: 2026/06/29
author: Security Arsenal
references:
  - https://otx.alienvault.com/
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  category: process_creation
detection:
  # Scoped to git.exe only; a release ZIP fetched through a browser or curl is not covered by this rule
  selection_git:
    Image|endswith: '\git.exe'
  selection_cli:
    CommandLine|contains:
      - 'clone'
      - 'release'
  selection_suspicious_host:
    CommandLine|contains:
      - 'github.com'
      - 'bit.ly'
      - 'tinyurl.com'
  condition: all of selection_*
falsepositives:
  - Legitimate developer activity
level: low
```
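The rules above rely on three pieces of Sigma semantics that are easy to get backwards: fields inside one selection are AND-ed, values in a list are OR-ed, and the condition decides whether named selections are combined with `all of` or `1 of`. The following added example (not the Sigma project's code, and not a full Sigma parser) implements just enough of that logic to run the sideloading rule and a C2 rule over constructed sample events, and shows why putting `DestinationIp` and `DestinationHostname` in a single selection fails on a direct-to-IP connection. The event records and the helper names `field_matches`, `selection_matches` and `evaluate` are assumptions of this example.

```python
"""Added example: a minimal evaluator for the Sigma selection logic used on this page
(list values, |endswith, |contains, 'all of' / '1 of' conditions), run on constructed events."""


def field_matches(event, spec_key, patterns):
    """Evaluate one 'Field|modifier: value(s)' entry; list values are OR-ed, matching is case-insensitive."""
    field, _, modifier = spec_key.partition("|")
    value = str(event.get(field, "")).lower()
    if not isinstance(patterns, list):
        patterns = [patterns]
    for p in patterns:
        p = str(p).lower()
        if modifier == "" and value == p:
            return True
        if modifier == "endswith" and value.endswith(p):
            return True
        if modifier == "contains" and p in value:
            return True
    return False


def selection_matches(event, selection):
    """Every field entry inside one selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(detection, event):
    """Support the condition forms used on this page: 'all of <prefix>*', '1 of <prefix>*', or one named selection."""
    condition = detection["condition"]
    selections = {k: v for k, v in detection.items() if k != "condition"}
    for keyword, combine in (("all of ", all), ("1 of ", any)):
        if condition.startswith(keyword):
            prefix = condition[len(keyword):].rstrip("*")
            return combine(selection_matches(event, s) for k, s in selections.items() if k.startswith(prefix))
    return selection_matches(event, selections[condition])


# Detection block of the sideloading rule above (process_creation)
SIDELOAD_DETECTION = {
    "selection_img": {"Image|endswith": ["\\rundll32.exe", "\\svchost.exe", "\\regsvr32.exe"]},
    "selection_cli": {"CommandLine|contains": [".dll", "DllRegisterServer"]},
    "selection_suspicious_path": {"CommandLine|contains": ["\\AppData\\Local\\Temp\\", "\\ProgramData\\"]},
    "condition": "all of selection_*",
}

# C2 rule with IP and hostname as separate selections: either one suffices
C2_DETECTION_OR = {
    "selection_ip": {"DestinationIp": ["176.124.199.207", "104.200.67.46"]},
    "selection_domain": {"DestinationHostname": ["microsoft-telemetry.at", "svclsc.com"]},
    "condition": "1 of selection_*",
}
# Same fields in one selection: both must match, which silently drops direct-to-IP connections
C2_DETECTION_AND = {
    "selection": {"DestinationIp": ["176.124.199.207", "104.200.67.46"],
                  "DestinationHostname": ["microsoft-telemetry.at", "svclsc.com"]},
    "condition": "selection",
}

# Constructed sample events (not real telemetry)
PROC_EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\upd.dll,Start"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},   # system DLL from a normal path
]
NET_EVENT = {"DestinationIp": "104.200.67.46", "DestinationHostname": "104.200.67.46"}  # no hostname, IP only


def run_demo():
    """Return the verdicts for the sample events so they can be checked without parsing printed output."""
    return {
        "sideload_temp_dll": evaluate(SIDELOAD_DETECTION, PROC_EVENTS[0]),
        "sideload_system_dll": evaluate(SIDELOAD_DETECTION, PROC_EVENTS[1]),
        "c2_or": evaluate(C2_DETECTION_OR, NET_EVENT),
        "c2_and": evaluate(C2_DETECTION_AND, NET_EVENT),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The `c2_and` verdict is the one to watch: the same indicator lists produce no alert when both fields live in one selection, which is why the C2 rule above keeps IPs and hostnames in separate selections joined by `1 of selection_*`.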
KQL (Microsoft Sentinel)
```kql
// Hunt for network connections to known C2 infrastructure
let C2_Domains = dynamic(['microsoft-telemetry.at', 'svclsc.com', 'mi.overlapsnowbound.com', 'authorized-logins.net', 'googleoba.servequake.com', 'teamicrosoft.com', 'driver-updater.net']);
let C2_IPs = dynamic(['176.124.199.207', '176.111.174.140', '62.60.226.159', '94.154.35.25', '64.188.91.237', '196.251.107.130', '89.36.224.5', '104.200.67.46']);
DeviceNetworkEvents
// RemoteUrl may carry a full URL or a subdomain, so term matching (has_any) is used instead of an exact in~ comparison
| where RemoteUrl has_any (C2_Domains) or RemoteIP in (C2_IPs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
```
PowerShell Hunt Script
```powershell
# IOC Hunt Script for StealC, Mistic, and KimJongRAT hashes
# SHA-256 indicators from the pulses
$Sha256Hashes = @(
    "8cef760d11d24fc2e9bbd9f770dca5105854f7ece3b0e6948d7c8b7fdd1765ea", # StealC/Amadey
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be", # Mistic Backdoor
    "b6cab0b3aa8e56e2427f486c74588d598ae58bb0cbc0eda6939fe171cb0aed17", # AUDIOFIX/MINIRAT
    "9758e76b601798a30d903bf05052a53df80451e5c156548ce9da828f608b6470", # KimJongRAT
    "221a39856b37e3c682f62427f1e6b965b36a2405764689c914672770a01a1fa9"  # KimJongRAT
)
# The Operation Endgame indicator is a 40-character SHA-1; it is hashed separately because a SHA-256 comparison would never match it
$Sha1Hashes = @(
    "ff8d2afd9d7f0a828592fee34ca55d1a3542f7ed" # Operation Endgame
)
Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    Write-Host "Scanning $Drive..." -ForegroundColor Yellow
    Get-ChildItem -Path $Drive -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $File = $_
        $Sha256 = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($Sha256 -and $Sha256Hashes -contains $Sha256) {   # -contains is case-insensitive, Get-FileHash returns upper-case hex
            Write-Host "[!] MALICIOUS FILE DETECTED: $($File.FullName) | SHA256: $Sha256" -ForegroundColor Red
        }
        $Sha1 = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
        if ($Sha1 -and $Sha1Hashes -contains $Sha1) {
            Write-Host "[!] MALICIOUS FILE DETECTED: $($File.FullName) | SHA1: $Sha1" -ForegroundColor Red
        }
    }
}
# Check for suspicious domains in DNS cache
Write-Host "[+] Checking DNS Cache for suspicious domains..." -ForegroundColor Cyan
$SuspiciousDomains = @("microsoft-telemetry.at", "svclsc.com", "authorized-logins.net", "teamicrosoft.com", "googleoba.servequake.com")
Get-DnsClientCache | Where-Object { $SuspiciousDomains -contains $_.Entry } | ForEach-Object {
    Write-Host "[!] Suspicious DNS Entry found: $($_.Entry) -> $($_.Data)" -ForegroundColor Red
}
```
Response Priorities
* **Immediate:** Block all listed domains and IPs at the perimeter firewall and proxy servers. Quarantine endpoints matching the provided file hashes.
* **24h:** Initiate credential resets for accounts accessed from devices flagged with infostealer IOCs (specifically StealC, Amadey, RedLine campaigns). Investigate LinkedIn messages for JINX-0164 recruitment targeting.
* **1 week:** Review and harden software supply chain policies (CI/CD) and implement strict allow-listing for GitHub repositories accessed by developers. Enhance email filtering to detect typosquatting and recruiter-themed social engineering.